The difference is that NAT doesn't track the counter party, so after you reached out to the DNS, any other service can use the opened port to connect to your PC.

With a stateful firewall, it tracks that the port was opened only used for the DNS server. If a connection to that port from a different IP address than the DNS server is made, the firewall will block it.